[tac_plus] Should optional A/V pair be sent?

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Jan 23 15:33:43 UTC 2012


I also have noted that if you send a Cisco switch/router anything other
than "priv-lvl", they do not work.  One workaround is to use do_auth.  The
following example is Brocade's traditional privlvl, but the same concept
should work with the brcd-role you describe.  (Note: this is more to fix a
Cisco bug than a Brocade one.)  Simply put: if you match a Brocade device and
find something that says "priv-lvl", replace it with "brocade-privlvl=5".

[brocade_disable]
host_allow =
        .*
device_permit =
        <list of brocade devices>
command_permit =
        .*
av_pairs =
        priv-lvl,brocade-privlvl=5

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Mick Day
Sent: Monday, January 23, 2012 4:31 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Should optional A/V pair be sent?

Hi Everyone,

I am having a problem with sending an optional a/v pair from tac_plus.  This
is related to the post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html as
it now appears that the latest Brocade VDX code now supports optional a/v
pairs for 'brcd-role'.  The only problem is that when the NAS authenticates
with the server, only the mandatory a/v pairs are being sent.

My configuration is as follows:

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
        optional brcd-role = admin
    }
}

The NAS only ever receives the a/v pair 'priv-lvl = 15'.  Is this expected
behaviour?  If I reconfigure 'brcd-role' to mandatory, it then sends
both 'priv-lvl' and 'brcd-role', but then this creates the same problem as
described in the previous post
http://www.shrubbery.net/pipermail/tac_plus/2011-September/000978.html
where Cisco devices fail authorisation.

I have also tried the same with Cisco ACS and this sends both the
mandatory and optional a/v pairs allowing both devices to be able to
login.

I am unclear as to whether it is expected behaviour for the server to send
optional a/v pairs by default.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
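The behaviour both messages above run into follows from how TACACS+ marks authorization attributes: the server encodes a pair as "attr=value" when it is mandatory and "attr*value" when it is optional, and a NAS that receives a mandatory attribute it does not understand must fail the authorization, whereas it may simply ignore an unknown optional one (RFC 8907, the TACACS+ specification).  The script below is an added illustration for this thread, not code from tac_plus, do_auth or Brocade: it parses and encodes pairs with that separator rule, models the "unknown mandatory = fail" client behaviour with two constructed sets of attributes the Cisco and Brocade sides are assumed to understand (CISCO_KNOWN and BROCADE_KNOWN are assumptions, not vendor documentation), and applies the same priv-lvl -> brocade-privlvl=5 rewrite that the do_auth stanza above performs for Brocade devices.

```python
"""TACACS+ authorization A/V pairs: mandatory vs. optional, plus a do_auth-style rewrite.

Added example for this thread; not code from tac_plus, do_auth, Cisco or Brocade.
Wire format per RFC 8907: "attr=value" is mandatory, "attr*value" is optional.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool

    def encode(self) -> str:
        # '=' marks a mandatory attribute, '*' an optional one.
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


def parse_av_pair(raw: str) -> AVPair:
    """Parse one wire-format pair; the first '=' or '*' is the separator."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AVPair(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"no separator in A/V pair: {raw!r}")


def server_reply(optional_role: bool) -> List[AVPair]:
    """Reply built from the 'group = admin' stanza in the original post:
    priv-lvl is always mandatory; brcd-role is optional or mandatory per config."""
    return [
        AVPair("priv-lvl", "15", True),
        AVPair("brcd-role", "admin", not optional_role),
    ]


def rewrite_for_brocade(pairs: List[AVPair], privlvl: str = "5") -> List[AVPair]:
    """The av_pairs rule from the do_auth stanza above: for a matched Brocade
    device, replace any 'priv-lvl' pair with a mandatory 'brocade-privlvl=<n>'."""
    return [
        AVPair("brocade-privlvl", privlvl, True) if p.attr == "priv-lvl" else p
        for p in pairs
    ]


# Assumed attribute vocabularies for the two device families (constructed for
# this example; not taken from vendor documentation).
CISCO_KNOWN: Set[str] = {"priv-lvl", "autocmd", "timeout", "idletime"}
BROCADE_KNOWN: Set[str] = {"brocade-privlvl", "brcd-role"}


def client_accepts(pairs: List[AVPair], known: Set[str]) -> Tuple[bool, Dict[str, str]]:
    """Model the RFC 8907 client rule: an unknown mandatory attribute fails the
    authorization; an unknown optional attribute is ignored.
    Returns (ok, applied) where applied holds the attributes the client acted on."""
    applied: Dict[str, str] = {}
    for p in pairs:
        if p.attr in known:
            applied[p.attr] = p.value
        elif p.mandatory:
            return False, applied
    return True, applied


if __name__ == "__main__":
    for optional in (False, True):
        reply = server_reply(optional_role=optional)
        print("server sends:", [p.encode() for p in reply])
        print("  cisco  :", client_accepts(reply, CISCO_KNOWN))
        brocade_reply = rewrite_for_brocade(reply)
        print("  brocade:", [p.encode() for p in brocade_reply],
              client_accepts(brocade_reply, BROCADE_KNOWN))
```

Run as-is, the mandatory brcd-role case reproduces the failure described in the thread (the modelled Cisco client rejects the reply at the attribute it does not know), while the optional case is accepted and simply ignored; after the do_auth-style rewrite the Brocade side receives brocade-privlvl=5 and brcd-role and applies both.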